OpenBSD General
NFS through PF
I'm trying to mount NFS through PF.
PF is passing traffic on 111 and 2049, both tcp and udp. According to `rpcinfo -p` the mountd port is dynamic. How can I tie mountd to use one specific port?

You cannot tie mountd(8) to specific ports or port ranges on this OS. There are workarounds and alternatives available; see the thread in the misc@ archives that begins with the first post in the link below. Along with solution discussion, a number of posts reiterate the broader message regarding the lack of security for NFS over insecure networks, such as the Internet. As with the original poster, you desire to move your data in plaintext beyond a firewall, which presumes an insecure network, and this is considered a bad decision.
http://marc.info/?l=openbsd-misc&m=115092459119047&w=2
Last edited by jggimi; 14th November 2012 at 04:39 PM. Reason: clarity

That redesign could include the use of a VPN. The OpenBSD FAQ section on NFS, FAQ 6.7, recommends an ipsec(4) solution for NFS over an insecure network.
I suppose an admin might prefer net/openvpn, or ssh(1) tunneling, to IPSec, but those solutions should be very carefully tested. I believe their higher communications overheads may have significant functional impact: I/O delays or I/O timeouts leading to functional problems with an application; perhaps even application failures.
Last edited by jggimi; 14th November 2012 at 08:07 PM. Reason: clarity

@jggimi,
thx for the misc@ link. I spent quite a bit of time searching but didn't come across this one. @rocket357, thx for the "unconventional" solution. Does that have potential side effects for other services running on the same machine?
Quote:
That should rather be called 'through a firewall', not 'beyond a firewall'.

Quote:
Edit - The whole point of the "baddynamic" sysctls is to prevent a dynamically allocated port being set before a service that needs that particular port is started. If you're running ssh on 65022 (for whatever reason), you don't want an outbound connection to accidentally claim 65022 (which is within the legal range) as a temporary dynamic port, as that would cause ssh to not start. In short, I was being a smart alec. heh
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.